FCP_FSA_AD-5.0 FCP - FortiSandbox 5.0 Administrator Questions and Answers

From the Deployment and System Settings lesson, the Study Guide states:

" You can submit emails from an upstream MTA server to FortiSandbox using a BCC adapter. FortiSandbox will extract attachment files and URLs in an email body. "

For a BCC adapter to function correctly, two critical prerequisites must be in place:

Option C — The upstream SEG must be configured to BCC emails to a FortiSandbox sub-domain so that email copies are routed to FortiSandbox for analysis

Option D — An MX record must be added to the DNS server for the BCC email sub-domain, so that the sub-domain resolves to the FortiSandbox IP address, allowing the SEG to properly deliver BCC email copies

Option A is incorrect because the BCC adapter handles full email inspection — FortiSandbox itself extracts files and URLs rather than the SEG doing this. Option B is incorrect because an MX record (not just an A record) is the required DNS configuration for email routing.

From the FortiClient EMS Integration lesson, the Study Guide explicitly states:

" It is always a good idea to place the files that are submitted by FortiClient, high on the Job Queue Priority since these are files that end users need immediate access to. In most cases, end users might not be willing to wait for a long time to access these files and placing the FortiClient submitted files high on the Job Queue Priority ensures that these files receive high priority for scanning from FortiSandbox. "

Looking at the exhibit, the Job Priority Configuration shows:

Positions 1-4: On-Demand inputs (highest priority)

Position 5: FortiGate InlineBlock

Positions 6-11: Other sources including FortiWeb, File RPC, Device, FortiClient

As a best practice, FortiClient should rank after On-Demand (positions 1-4) but before FortiGate inputs — since end users need immediate file access, FortiClient submissions should be near the top but On-Demand scanning takes highest precedence.

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" The Pipeline Mode feature improves performance by allowing to scan multiple files, one at a time, without shutting down the VM instance after scanning each file. "

" FortiSandbox will continue scanning files without shutting down the VM instance, as long as the VM status hasn ' t changed. If the VM status changes, then the VM instance will shut down and will be restored for the next job. "

This precisely matches the requirement — using one VM instance for multiple sequential scan jobs without shutting down between submissions. The other options serve different purposes:

Adaptive Scan dynamically adjusts clone numbers

VM Scan Ratio controls the percentage of jobs scanned in a VM

Parallel VM Scan runs multiple VMs simultaneously for a single job

The Study Guide states that in an HA cluster, “As well as normal scanning duties, the primary node also manages the cluster, distributes jobs, and gathers the verdicts.” It also says that “The worker nodes provide load balancing. The primary node distributes scan jobs to the worker nodes.”

From those official statements, the primary node is not just a coordinator. It also performs normal scanning duties itself, while distributing scan jobs across worker nodes for load balancing. That rules out A, because the secondary node is for failover, not normal job distribution. It rules out C, because the primary is not restricted to itself only. It also rules out D, because the primary can still perform scanning duties and is not limited to sending all jobs only to workers. Therefore, when the primary receives MTA jobs, the correct behavior is that it distributes the MTA jobs to itself or to worker nodes .

From the Deployment and System Settings lesson, the Study Guide explicitly states:

" The status command shows information about the system, including firmware level, device serial number, disk usage, Windows VM status, states of the boot and data disks, and more. For VM appliances, it will also show the FortiSandbox license status. "

The key phrase is " For VM appliances, it will also show the FortiSandbox license status " — making the status command the correct choice for verifying license validity on a FortiSandbox VM deployment.

While vm-license -l shows installed Windows/Microsoft Office license keys, and vm-status shows guest VM image information, neither directly reports on the FortiSandbox appliance license validity. The status command is the definitive command for checking overall system and license status.

The Study Guide explains the default behavior first: “You must authorize FortiClient EMS on FortiSandbox. FortiSandbox automatically authorizes all FortiClient endpoints managed by an authorized FortiClient EMS.” It then adds the key point for this question: “To change the default FortiClient authorization behavior, use the command shown on this slide to authorize FortiClient endpoints using FortiSandbox CLI. By default, FortiClient inherits its authorization status from the managing EMS or FortiGate.”

Because the question specifically shows the CLI command set device-authorization -a , it is asking about the behavior after changing the default . The default inheritance model described in option A applies before the override. After this command, FortiSandbox is set to authorize FortiClient endpoints directly and automatically , which makes C the correct answer. Option B is incorrect because the command is specifically about FortiClient endpoints , not other devices in general. Option D is too broad and does not match the Study Guide’s explanation, which is limited to FortiClient authorization behavior.

The correct answer is C. cleandb . The FortiSandbox 5.0 Administrator Study Guide explicitly states: “The cleandb command will erase all stored data in the FortiSandbox database and reboot the system.” This directly matches the scenario, because the issue is that FortiSandbox contains many obsolete samples and related stored analysis data that are no longer needed. Removing those database contents is exactly what cleandb is designed to do.

The other options do not fit this requirement. The same study guide section says “The log-purge command will remove all system logs,” which affects logs only, not the stored sample database. It also says “The fsck-storage command will check the integrity of the hard disks and repair them if any issues are discovered,” which is for disk integrity troubleshooting, not cleanup of obsolete samples. A factory reset would be far more destructive and is not the stated maintenance tool for this issue. Therefore, cleandb is the correct CLI remediation tool.

The Results Analysis section gives direct malware-type definitions. It says: “A downloader attempts to download malicious content from a remote system” , “A dropper installs malicious content” , “A trojan appears to be a legitimate software application” , and most importantly, “A rootkit attempts to hide its components by replacing valid system files.”

That exact wording matches the question statement about malware attempting to replace vital system executables . Replacing valid system files is classic rootkit behavior because the purpose is concealment and persistence by hiding malicious components behind trusted operating-system files. A dropper’s main role is delivering payloads. A trojan is mainly deceptive software that appears legitimate. An exploit takes advantage of a vulnerability. None of those definitions match the described behavior as precisely as the rootkit definition in the Study Guide. Therefore, the malware type being observed is Rootkit .

The best answer is B . The Study Guide explains that under VM settings, “FortiSandbox has a Browser selection that allows you to choose which internet browser the VM instance will use. This helps to customize the test using an internet browser that more closely resembles the user’s environment or just monitor if the test delivers different results.” It also states that the default browser choices are Internet Explorer, Firefox, Chrome, and Edge . In addition, the guide says that “The VM images provided by Fortinet might not suit your needs… You can generate a custom VM that fits your organization’s needs and upload it to FortiSandbox.”

Because only endpoints using Opera are affected, the clean verdict likely occurred because the sandbox environment does not accurately reproduce the exploited browser environment. The most effective fix is to make the sandbox environment match the real target environment more closely by using a custom VM with the same browser behavior as the affected endpoints. The other answers do not address the root cause. STIX/TAXII is unrelated, changing the scan profile file type does not solve a browser-specific exploit path, and job queue priority affects order, not analysis fidelity. Therefore, the required action is to configure a custom VM to use the same browser as the exploited end stations .